git.ipfire.org Git - thirdparty/iptables.git/commit

author	Liping Zhang <liping.zhang@spreadtrum.com>
	Fri, 7 Oct 2016 11:08:51 +0000 (19:08 +0800)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 14 Oct 2016 16:59:35 +0000 (18:59 +0200)
commit	129ed57b8e050e8e57deeefc2ed36ec979265d8a
tree	026db10e09ee8100358a5c6aff9486cf1e36dd97	tree \| snapshot
parent	837ca1e34893c67d8e195a4132d1517cb7d4bb11	commit \| diff

extensions: libxt_iprange: handle the invert flag properly in translation

If we specify the invert flag, we should put "!=" after "ip saddr/daddr",
so the current translation is wrong:
  # iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
  nft add rule ip filter OUTPUT != ip daddr 1.1.1.1-1.1.1.2 counter

  # ip6tables-translate -A OUTPUT -m iprange ! --src-range 2003::1-2003::3
  nft add rule ip6 filter OUTPUT != ip6 saddr 2003::1-2003::3 counter

Apply this patch:
  # iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
  nft add rule ip filter OUTPUT ip daddr != 1.1.1.1-1.1.1.2 counter

  # ip6tables-translate -A OUTPUT -m iprange ! --src-range 2003::1-2003::3
  nft add rule ip6 filter OUTPUT ip6 saddr != 2003::1-2003::3 counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>